A TCloud Trender
徐啟超
WITHOUT KERBEROS
• Authorization: ensuring the user can only do things that they are allowed to do
  • Yes: owner/group permission
• Authentication: ensuring the user is who they claim to be
  • No
WITH KERBEROS
KERBEROS CONFIG BECOMING EASY
• Cloudera
  • Cloudera Manager
• HDP
  • Ambari – Security Wizard --- ambari-1.2.5
HADOOP GATEWAYS
[Diagram: client → Firewall → Gateway → Hadoop Cluster]
HADOOP GATEWAY - NOW
• WebHDFS
  • REST: curl "http://GATEWAYHOST/webhdfs/v1/PATH?[user.name=USER&]op=…"
  • Hadoop: hadoop fs -fs webhdfs://GATEWAYHOST:14000 -cat FILE_PATH
• Oozie
  • REST API; supports direct submission of MapReduce, Pig, and Hive jobs
  • Steps
    • Use WebHDFS to upload your files and jars
    • Create an Oozie workflow
• HBase
  • HBase Stargate REST gateway
  • HBase Thrift server
HADOOP GATEWAY - FUTURE
• Apache Knox Gateway
  • Provides a single point of authentication and access for Apache™ Hadoop® services in a cluster
  • Integrates with the existing frameworks for Active Directory/LDAP
  • Shell and REST interface support
  • Currently working on kerberized cluster support
HADOOP DATA ENCRYPTION
• Disk encryption
  • Partition encryption → dm-crypt
• File system encryption
  • Folder encryption → eCryptfs
• Hadoop Encryption Framework
  • Encrypt only what needs to be encrypted
HADOOP ENCRYPTION FRAMEWORK - API
[Diagram: Local File ↔ encrypt/decrypt ↔ HDFS; HDFS File ↔ encrypt/decrypt]
HADOOP ENCRYPTION FRAMEWORK - MR
[Diagram: HDFS File → Map → File → Reduce → File → HDFS]
Encryption/decryption on every stage of the path
JIRAS
• HADOOP-9331: Hadoop crypto codec framework and crypto codec implementations
• HADOOP-9332: Crypto codec implementations for AES
• HADOOP-9333: Hadoop crypto codec framework based on compression codec
• MAPREDUCE-5025: Key Distribution and Management for supporting crypto codec in Map Reduce
• HBASE-7544: Transparent table/CF encryption
Brief
• Two typical crypto cases in Hadoop
  • Crypto API case: using an AES key (stored in a KeyStore) to encrypt/decrypt data
  • MR CryptoContext case: encrypt the MR output
• Tool – Distcrypto
• HBase encryption
• Other related JIRAs and security key store (manager)
• TODOs
KEY STORE TOOL - KEYTOOL
A key and certificate management utility.
• Create & store an AES key
  • keytool -keystore /tmp/hbase.jks -storetype jceks -storepass 123456 -genseckey -keyalg AES -keysize 256 -alias hbase
• Create & store an RSA private key
  • keytool -genkey -keyalg RSA -keysize 2048 -storetype jceks -storepass 123456 -keystore privateKeyStore.jks -alias testPrivate
• Export a certificate from a KeyStore to a cert file
  • keytool -export -keystore privateKeyStore.jks -storetype jceks -storepass 123456 -alias testPrivate -file publicKey.crt
• Import a cert file into a KeyStore
  • keytool -import -trustcacerts -file publicKey.crt -storetype jceks -storepass 123456 -alias testPublic -keystore publicKeyStore.jks
CRYPTO API CASE: USING AES KEY (STORED IN KEYSTORE) TO ENCRYPT/DECRYPT DATA
Use the Crypto API to retrieve an AES secret key from a key store file and use the key to encrypt/decrypt data
• KeyProvider
• CryptoContext
• CryptoCodec
• Sample Code
KeyProvider - KeyStoreKeyProvider
• Retrieves a secret key from the specified key store file
• Parameters
  • keyStoreUrl & password
  • keyStoreType: JCE, JCEKS ……
  • keyPasswordFile & sharePassword
• Initialize: keyProvider.init(String parameters)
  • String parameters = "file:///etc/keystore/mapred.jks&keyStoreType=JCEKS&password=123456"
  • String parameters = KeyStoreKeyProvider.getKeyStoreParameterString(fileUrl, StoreType, StorePassword, null, true);
• Get: keyProvider.getKeys(String[])
CryptoContext
• Stores key-related information
• Key attributes
  • Raw key data
  • Key type: SYMMETRIC_KEY, PUBLIC_KEY, PRIVATE_KEY, CERTIFICATE
  • Cryptographic algorithm: e.g. AES
  • Cryptographic length
CryptoCodec
• A wrapper that contains a CryptoContext and provides crypto I/O streams
• Major members
  • CryptoContext
  • Crypto I/O stream methods
    • createOutputStream(……)
    • createInputStream(……)
SAMPLE CODE - FILE ENCRYPTION
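An added example, not the presenter's code and not the proposed Hadoop KeyProvider/CryptoCodec classes: the same flow (fetch an AES key from a JCEKS key store, then wrap a stream so that everything written is encrypted) using only the standard Java JCA. The alias and store password are the demo values from the keytool slide; the class name, the AES-GCM mode and the nonce-as-header layout are assumptions of this example, and createOutputStream/createInputStream are merely named after the CryptoCodec methods above.

```java
import javax.crypto.Cipher;
import javax.crypto.CipherInputStream;
import javax.crypto.CipherOutputStream;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.DataInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.Key;
import java.security.KeyStore;
import java.security.SecureRandom;
import java.util.Arrays;

// Hypothetical class name; requires Java 9+ (InputStream.readAllBytes).
public class KeyStoreFileCrypto {
    private static final int IV_LEN = 12;    // 96-bit GCM nonce (assumed layout: stored as file header)
    private static final int TAG_BITS = 128; // GCM authentication tag length

    /** In-memory equivalent of "keytool -genseckey -keyalg AES -storetype jceks". */
    static byte[] createKeyStore(String alias, char[] password, int keyBits)
            throws GeneralSecurityException, IOException {
        KeyGenerator gen = KeyGenerator.getInstance("AES");
        gen.init(keyBits);
        KeyStore ks = KeyStore.getInstance("JCEKS");
        ks.load(null, password); // start from an empty store
        ks.setEntry(alias, new KeyStore.SecretKeyEntry(gen.generateKey()),
                new KeyStore.PasswordProtection(password));
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        ks.store(out, password);
        return out.toByteArray();
    }

    /** The KeyProvider role: open the store and return the named secret key. */
    static SecretKey loadKey(InputStream store, String alias, char[] password)
            throws GeneralSecurityException, IOException {
        KeyStore ks = KeyStore.getInstance("JCEKS");
        ks.load(store, password);
        Key key = ks.getKey(alias, password);
        if (!(key instanceof SecretKey)) {
            throw new GeneralSecurityException("no secret key under alias " + alias);
        }
        return (SecretKey) key;
    }

    /** The CryptoCodec role, write side: everything written to the result is encrypted. */
    static OutputStream createOutputStream(OutputStream raw, SecretKey key)
            throws GeneralSecurityException, IOException {
        byte[] iv = new byte[IV_LEN];
        new SecureRandom().nextBytes(iv); // fresh nonce per file; never reuse one with the same key
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(TAG_BITS, iv));
        raw.write(iv); // the nonce is not secret, so it travels in clear as a header
        return new CipherOutputStream(raw, c);
    }

    /** The CryptoCodec role, read side: reads the nonce header, then decrypts and verifies. */
    static InputStream createInputStream(InputStream raw, SecretKey key)
            throws GeneralSecurityException, IOException {
        byte[] iv = new byte[IV_LEN];
        new DataInputStream(raw).readFully(iv);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(TAG_BITS, iv));
        return new CipherInputStream(raw, c);
    }

    public static void main(String[] args) throws Exception {
        char[] storePass = "123456".toCharArray(); // demo password from the keytool slide
        byte[] jceks = createKeyStore("hbase", storePass, 256);
        SecretKey key = loadKey(new ByteArrayInputStream(jceks), "hbase", storePass);

        // Constructed sample data; the byte array stands in for a local or HDFS file.
        byte[] plain = "constructed sample record\n".getBytes(StandardCharsets.UTF_8);
        ByteArrayOutputStream file = new ByteArrayOutputStream();
        try (OutputStream enc = createOutputStream(file, key)) {
            enc.write(plain);
        } // close() finishes the cipher and appends the GCM tag
        byte[] stored = file.toByteArray();

        try (InputStream dec = createInputStream(new ByteArrayInputStream(stored), key)) {
            System.out.println("round trip ok: " + Arrays.equals(plain, dec.readAllBytes()));
        }

        stored[stored.length - 1] ^= 1; // simulate on-disk corruption or tampering
        try (InputStream dec = createInputStream(new ByteArrayInputStream(stored), key)) {
            dec.readAllBytes();
            System.out.println("tampering NOT detected");
        } catch (IOException e) {
            System.out.println("tampering detected: " + e.getMessage());
        }
    }
}
```

A 256-bit key needs the unlimited-strength policy on JDKs older than 8u161; the last step shows what an authenticated mode adds over plain encryption, since the modified file is rejected rather than silently decrypted.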
MR CRYPTOCONTEXT CASE: ENCRYPT THE MR OUTPUT
Use the provided CryptoContext to encrypt the MapReduce output
• KeyProviderConfig
• CryptoContextProvider
• Sample Code
KeyProviderConfig
• Members
  • keyProvider
  • keyProviderParameters
• Methods
  • getKeyProvider()
  • getKeyProviderParameters()
CryptoContextProvider
Provides several static helper methods to update crypto-related job configuration. For example, it stores the following parameters and secrets in the secret key list of the job credentials:
• mapred.[[[STAGE]]].crypto.context.provider.parameters
• mapred.[[[STAGE]]].crypto.context.secrets
[[[STAGE]]]: input, output, map.output
Credentials credentials = jobConf.getCredentials();
credentials.addSecretKey(new Text("mapred.map.output.crypto.context.provider.parameters"), parameters);
credentials.addSecretKey(new Text("mapred.map.output.crypto.context.secrets"), secrets);
Provider classes:
• AbstractCryptoContextProvider
• FileMatchCryptoContextProvider
• KeyProviderCryptoContextProvider
AbstractCryptoContextProvider
• Methods
  • setInputCryptoContextProvider(jobConf, cryptoContextProviderClass, secrets, parameters)
  • setMapOutputCryptoContextProvider(jobConf, cryptoContextProviderClass, secrets, parameters)
  • setOutputCryptoContextProvider(jobConf, cryptoContextProviderClass, secrets, parameters)
FileMatchCryptoContextProvider
Provides the ability to select the appropriate CryptoContext according to the file path
FileMatches fileMatches = new FileMatches(KeyContext.derive("12345678"));
fileMatches.addMatch("^.*/input1.intel_aes$", KeyContext.derive("1234"));
fileMatches.addMatch("^.*/input2.intel_aes$", KeyContext.derive("5678"));
FileMatchCryptoContextProvider.setInputCryptoContextProvider(jobConf, fileMatches, null);
KeyProviderCryptoContextProvider
Includes the capability of FileMatchCryptoContextProvider and also provides the ability to retrieve the key from a key store
FileMatches fileMatches = new FileMatches(
    KeyContext.refer("KEY00", Key.KeyType.SYMMETRIC_KEY, "AES", 128));
String keyStoreFile = "file:///" + KEYSTORE_HOME + "/mr.jks";
String keyStorePassword = "12345678";
KeyProviderConfig keyProviderConfig =
    KeyProviderCryptoContextProvider.getKeyStoreKeyProviderConfig(
        keyStoreFile, "JCEKS", keyStorePassword, null, true);
KeyProviderCryptoContextProvider.setInputCryptoContextProvider(
    jobConf, fileMatches, true, keyProviderConfig);
SAMPLE CODE - ENCRYPT THE MR OUTPUT
Configuration conf = new Configuration();
Job job = new Job(conf, "wordcount");
JobConf jobConf = (JobConf)job.getConfiguration();
// Use AESCodec as the output codec, with SnappyCodec set as its compressor
FileOutputFormat.setOutputCompressorClass(job, AESCodec.class);
jobConf.set(AESCodec.CRYPTO_COMPRESSOR,
    "org.apache.hadoop.io.compress.SnappyCodec");
SAMPLE CODE - ENCRYPT THE MR OUTPUT (cont.)
FileMatches fileMatches = new FileMatches(
    KeyContext.refer("KEY00", Key.KeyType.SYMMETRIC_KEY, "AES", 256));
String keyStoreFile = "file:///" + KEYSTORE_HOME + "/mr.jks";
String keyStorePassword = "12345678";
KeyProviderConfig keyProviderConfig =
    KeyProviderCryptoContextProvider.getKeyStoreKeyProviderConfig(
        keyStoreFile, "JCEKS", keyStorePassword, null, true);
KeyProviderCryptoContextProvider.setOutputCryptoContextProvider(
    jobConf, fileMatches, false, keyProviderConfig);
…….
job.waitForCompletion(true);
MORE IN KeyProviderCryptoContextProvider
• Using an asymmetric key (RSA) to protect parameters & secrets
CredentialProtection credentialProtection = new CredentialProtection(jobConf,
    RSACredentialProtectionCodec.class,
    encryptionKeyProviderConfig, encryptionKeyName,
    decryptionKeyProviderConfig, decryptionKeyName);
KeyProviderCryptoContextProvider.setInputCryptoContextProvider(
    jobConf,
    fileMatches,
    false,
    keyProviderConfig,
    credentialProtection);
MORE IN KeyProviderCryptoContextProvider (cont.)
• How to use a customized KeyProvider in KeyProviderCryptoContextProvider
String keyProviderParameters = KeyStoreKeyProvider.getKeyStoreParameterString(
    keyStoreFile, keyStoreType,
    keyStorePassword,
    keyStorePasswordFile,
    sharedPassword);
KeyProviderConfig keyProviderConfig = new KeyProviderConfig(
    CustomizeKeyStoreKeyProvider.class.getName(),
    keyProviderParameters);
TOOL – DISTCRYPTO
Uses a MapReduce job to encrypt, decrypt, or key-rotate multiple files
• Usage
  • -op <operation>: "encrypt", "decrypt" and "rotate"
  • -ek <encryption key>
  • -dk <decryption key>
  • -src <source definition file>
  • -dst <dest url>
  • -log <log url>
TOOL – DISTCRYPTO (cont.)
• Source definition file (XML format)
  • src
    • path
    • format:
      • raw
      • Sequence
      • the full class name of a class that implements CryptoHandler, for a customized format
    • includeFilter & excludeFilter
    • stripSuffix & appendSuffix
    • keyClassName & valueClassName
TOOL – DISTCRYPTO (cont.)
• Encryption sample
  • Command
    hadoop distcrypto -op encrypt -ek 21EF7D7487F69A19E552C1274A9FCAC721EF7D7487F69A19E552C1274A9FCAC7 -log /tmp/log.distcrypto.encrypt -src file:///working/crypto_encrypt.xml
  • Source definition file (crypto_encrypt.xml)
    <configuration><src>
    <path>/tmp/install.log</path>
    <format>raw</format>
    <appendSuffix>.encrypted</appendSuffix>
    </src></configuration>
• TODO: retrieving keys from a key store is not supported yet (not good)
HBASE ENCRYPTION – HBASE-7544
• Introduces transparent encryption of HBase on-disk data
• Transparent encryption at the CF level
• Two-tier key architecture, for consistency with best practices for this feature in the RDBMS world
• Flexible and non-intrusive key rotation
HBASE ENCRYPTION – HBASE-7544
[Diagram: HFile layout with the encryption key block]
HFile
• Block 0 …… Block N
• Meta Block 0 …… Meta Block N
• File Info
• Data Block Index
• Meta Block Index
• Fixed File Trailer
• Encryption KeyBlock Offset
Key block data format
• 1 byte ordinal
• 4 bytes key data length
• encrypted key data
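An added example, not HBase's or the presenter's code: the key block layout listed above (1-byte ordinal, 4-byte key data length, encrypted key data) written and parsed with the standard JCA, with the data key wrapped under a master key using AES key wrap. It goes beyond the slide by showing why two tiers make replacing the upper key cheap: only the key block is rewritten. The class name, the ordinal value and its meaning, the big-endian length, the size limit and the choice of AESWrap are all assumptions of this example.

```java
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import java.nio.ByteBuffer;
import java.security.GeneralSecurityException;
import java.util.Arrays;

// Hypothetical class illustrating a two-tier key block; not the HBASE-7544 implementation.
public class HFileKeyBlock {
    static final byte ORD_AES_WRAP = 1;   // assumed ordinal: identifies the wrapping algorithm
    static final int MAX_KEY_DATA = 1024; // assumed sanity limit on the length field

    static SecretKey newAesKey(int bits) throws GeneralSecurityException {
        KeyGenerator gen = KeyGenerator.getInstance("AES");
        gen.init(bits);
        return gen.generateKey();
    }

    /** Serializes: 1 byte ordinal | 4 bytes key data length (big-endian) | encrypted key data. */
    static byte[] encode(SecretKey master, SecretKey dataKey) throws GeneralSecurityException {
        Cipher c = Cipher.getInstance("AESWrap"); // RFC 3394 key wrap, includes an integrity check
        c.init(Cipher.WRAP_MODE, master);
        byte[] wrapped = c.wrap(dataKey);
        return ByteBuffer.allocate(1 + 4 + wrapped.length)
                .put(ORD_AES_WRAP).putInt(wrapped.length).put(wrapped).array();
    }

    /** Parses and validates a key block, then unwraps the data key with the master key. */
    static SecretKey decode(SecretKey master, byte[] block) throws GeneralSecurityException {
        ByteBuffer buf = ByteBuffer.wrap(block);
        if (buf.remaining() < 5) {
            throw new GeneralSecurityException("key block shorter than its header");
        }
        byte ordinal = buf.get();
        if (ordinal != ORD_AES_WRAP) {
            throw new GeneralSecurityException("unknown ordinal " + ordinal);
        }
        int len = buf.getInt();
        // Never trust a length field read from disk: bound it and match it to the data present.
        if (len <= 0 || len > MAX_KEY_DATA || len != buf.remaining()) {
            throw new GeneralSecurityException("bad key data length " + len);
        }
        byte[] wrapped = new byte[len];
        buf.get(wrapped);
        Cipher c = Cipher.getInstance("AESWrap");
        c.init(Cipher.UNWRAP_MODE, master);
        return (SecretKey) c.unwrap(wrapped, "AES", Cipher.SECRET_KEY);
    }

    /** Upper-tier rotation: re-wrap the same data key; the encrypted data blocks are untouched. */
    static byte[] rewrap(SecretKey oldMaster, SecretKey newMaster, byte[] block)
            throws GeneralSecurityException {
        return encode(newMaster, decode(oldMaster, block));
    }

    public static void main(String[] args) throws Exception {
        SecretKey master = newAesKey(256);  // tier 1: would live in the key store
        SecretKey dataKey = newAesKey(256); // tier 2: would encrypt the file's blocks
        byte[] block = encode(master, dataKey);
        System.out.println("key block length: " + block.length);
        System.out.println("data key recovered: "
                + Arrays.equals(dataKey.getEncoded(), decode(master, block).getEncoded()));

        SecretKey newMaster = newAesKey(256);
        byte[] rotated = rewrap(master, newMaster, block);
        System.out.println("same data key after re-wrap: "
                + Arrays.equals(dataKey.getEncoded(), decode(newMaster, rotated).getEncoded()));

        try {
            decode(master, rotated); // the retired master key must no longer open the block
            System.out.println("old master key still accepted");
        } catch (GeneralSecurityException e) {
            System.out.println("old master key rejected: " + e.getClass().getSimpleName());
        }
        try {
            decode(newMaster, Arrays.copyOf(rotated, rotated.length - 3)); // truncated block
            System.out.println("truncated block accepted");
        } catch (GeneralSecurityException e) {
            System.out.println("truncated block rejected: " + e.getMessage());
        }
    }
}
```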
HBASE-7544 SETTINGS
1. Set up the keystore with a secret key
Create a secret key of appropriate length for AES.
$ keytool -keystore /path/to/hbase/conf/hbase.jks \
    -storetype jceks -storepass password \
    -genseckey -keyalg AES -keysize 256 \
    -alias ${USER}
Press RETURN to store the key with the same password as the store.
2. Configure HBase to use the keystore
Add this to the hbase-site.xml file:
<property>
<name>hbase.crypto.keyprovider</name>
<value>org.apache.hadoop.io.crypto.KeyStoreKeyProvider</value>
</property>
<property>
<name>hbase.crypto.keyprovider.parameters</name>
<value><![CDATA[keyStoreUrl=file:///path/to/hbase/conf/hbase.jks&keyStoreType=JCEKS&password=password]]></value>
</property>
3. Create the table
$ ./bin/hbase shell
hbase(main):001:0> create 'test', {NAME=>'t', CRYPTO=>'AES', CRYPTO_KEY=>'123456'}
HBASE-7544
• CF key rotation
  • The CF key is changed by modifying the column descriptor via HBaseAdmin.
  • Then a major compaction is triggered, either on the whole table at once or region by region.
• Performance
  • With this AES-NI codec, the HFile read and write code paths introduce an overhead roughly on par with GZIP compression for reads, and half that for writes.
OTHER RELATED JIRAS
• MAPREDUCE-4491: Encryption and Key Protection
  • 4550: Key Protection: Define Encryption and Key Protection interfaces and default implementation
  • 4551: Key Protection: Add ability to read keys and protect keys in JobClient and TTS/NodeManagers
  • 4552: Encryption: Add support for PGP Encryption
  • 4553: Key Protection: Implement KeyProvider to read key from a WebService Based KeyStore
  • 5025: Key Distribution and Management for supporting crypto codec in Map Reduce
SECURITY WEB KEYSTORE SERVER
safe (http://benoyantony.github.com/safe/)
• Web-service-based keystore
• Supports an ACL per key
• Authenticates the user using SPNEGO
• Based on Cloudera Alfredo, a Java library consisting of client and server components that enables Kerberos SPNEGO authentication for HTTP
[Diagram: MR/HBase + WebStoreKeyProvider, web server (safe (Alfredo)), KDC, user; arrows labelled authentication and authorization]
OTHER TODOs
• Hive support
  • https://issues.apache.org/jira/browse/HIVE-5207
    • Support data encryption for Hive tables
  • https://issues.apache.org/jira/browse/HIVE-4227
    • Add column level encryption to ORC files (Created: 25/Mar/13 17:14)
• Pig support
  • https://issues.apache.org/jira/browse/PIG-3289
    • Encryption aware load and store functions
Q & A

Toni de la Fuente - Automate or die! How to survive to an attack in the Cloud...Toni de la Fuente - Automate or die! How to survive to an attack in the Cloud...
Toni de la Fuente - Automate or die! How to survive to an attack in the Cloud...
 
Automate or die! Rootedcon 2017
Automate or die! Rootedcon 2017Automate or die! Rootedcon 2017
Automate or die! Rootedcon 2017
 
Codetainer: a Docker-based browser code 'sandbox'
Codetainer: a Docker-based browser code 'sandbox'Codetainer: a Docker-based browser code 'sandbox'
Codetainer: a Docker-based browser code 'sandbox'
 
Bsidesnova- Pentesting Methodology - Making bits less complicated
Bsidesnova- Pentesting Methodology - Making bits less complicatedBsidesnova- Pentesting Methodology - Making bits less complicated
Bsidesnova- Pentesting Methodology - Making bits less complicated
 
MongoDB .local Bengaluru 2019: New Encryption Capabilities in MongoDB 4.2: A ...
MongoDB .local Bengaluru 2019: New Encryption Capabilities in MongoDB 4.2: A ...MongoDB .local Bengaluru 2019: New Encryption Capabilities in MongoDB 4.2: A ...
MongoDB .local Bengaluru 2019: New Encryption Capabilities in MongoDB 4.2: A ...
 
Intelligent Cloud Conference 2018 - Building secure cloud applications with A...
Intelligent Cloud Conference 2018 - Building secure cloud applications with A...Intelligent Cloud Conference 2018 - Building secure cloud applications with A...
Intelligent Cloud Conference 2018 - Building secure cloud applications with A...
 

More from tcloudcomputing-tw

Session 4 - News from ACS Community
Session 4 - News from ACS CommunitySession 4 - News from ACS Community
Session 4 - News from ACS Communitytcloudcomputing-tw
 
Session 3 - CloudStack Test Automation and CI
Session 3 - CloudStack Test Automation and CISession 3 - CloudStack Test Automation and CI
Session 3 - CloudStack Test Automation and CItcloudcomputing-tw
 
Session 2 - CloudStack Usage and Application (2013.Q3)
Session 2 - CloudStack Usage and Application (2013.Q3)Session 2 - CloudStack Usage and Application (2013.Q3)
Session 2 - CloudStack Usage and Application (2013.Q3)tcloudcomputing-tw
 
Session 1 - CloudStack Plugin Structure and Implementation (2013.Q3)
Session 1 - CloudStack Plugin Structure and Implementation (2013.Q3)Session 1 - CloudStack Plugin Structure and Implementation (2013.Q3)
Session 1 - CloudStack Plugin Structure and Implementation (2013.Q3)tcloudcomputing-tw
 
Tcloud Computing Hadoop Family and Ecosystem Service 2013.Q3
Tcloud Computing Hadoop Family and Ecosystem Service 2013.Q3Tcloud Computing Hadoop Family and Ecosystem Service 2013.Q3
Tcloud Computing Hadoop Family and Ecosystem Service 2013.Q3
tcloudcomputing-tw
 
Tcloud Computing Hadoop Family and Ecosystem Service 2013.Q2
Tcloud Computing Hadoop Family and Ecosystem Service 2013.Q2Tcloud Computing Hadoop Family and Ecosystem Service 2013.Q2
Tcloud Computing Hadoop Family and Ecosystem Service 2013.Q2
tcloudcomputing-tw
 
Hadoop Family and Ecosystem
Hadoop Family and EcosystemHadoop Family and Ecosystem
Hadoop Family and Ecosystem
tcloudcomputing-tw
 
2012 CloudStack Design Camp in Taiwan--- CloudStack Overview-2
2012 CloudStack Design Camp in Taiwan--- CloudStack Overview-22012 CloudStack Design Camp in Taiwan--- CloudStack Overview-2
2012 CloudStack Design Camp in Taiwan--- CloudStack Overview-2
tcloudcomputing-tw
 
2012 CloudStack Design Camp in Taiwan--- CloudStack Overview-1
2012 CloudStack Design Camp in Taiwan--- CloudStack Overview-12012 CloudStack Design Camp in Taiwan--- CloudStack Overview-1
2012 CloudStack Design Camp in Taiwan--- CloudStack Overview-1
tcloudcomputing-tw
 

More from tcloudcomputing-tw (9)

Session 4 - News from ACS Community
Session 4 - News from ACS CommunitySession 4 - News from ACS Community
Session 4 - News from ACS Community
 
Session 3 - CloudStack Test Automation and CI
Session 3 - CloudStack Test Automation and CISession 3 - CloudStack Test Automation and CI
Session 3 - CloudStack Test Automation and CI
 
Session 2 - CloudStack Usage and Application (2013.Q3)
Session 2 - CloudStack Usage and Application (2013.Q3)Session 2 - CloudStack Usage and Application (2013.Q3)
Session 2 - CloudStack Usage and Application (2013.Q3)
 
Session 1 - CloudStack Plugin Structure and Implementation (2013.Q3)
Session 1 - CloudStack Plugin Structure and Implementation (2013.Q3)Session 1 - CloudStack Plugin Structure and Implementation (2013.Q3)
Session 1 - CloudStack Plugin Structure and Implementation (2013.Q3)
 
Tcloud Computing Hadoop Family and Ecosystem Service 2013.Q3
Tcloud Computing Hadoop Family and Ecosystem Service 2013.Q3Tcloud Computing Hadoop Family and Ecosystem Service 2013.Q3
Tcloud Computing Hadoop Family and Ecosystem Service 2013.Q3
 
Tcloud Computing Hadoop Family and Ecosystem Service 2013.Q2
Tcloud Computing Hadoop Family and Ecosystem Service 2013.Q2Tcloud Computing Hadoop Family and Ecosystem Service 2013.Q2
Tcloud Computing Hadoop Family and Ecosystem Service 2013.Q2
 
Hadoop Family and Ecosystem
Hadoop Family and EcosystemHadoop Family and Ecosystem
Hadoop Family and Ecosystem
 
2012 CloudStack Design Camp in Taiwan--- CloudStack Overview-2
2012 CloudStack Design Camp in Taiwan--- CloudStack Overview-22012 CloudStack Design Camp in Taiwan--- CloudStack Overview-2
2012 CloudStack Design Camp in Taiwan--- CloudStack Overview-2
 
2012 CloudStack Design Camp in Taiwan--- CloudStack Overview-1
2012 CloudStack Design Camp in Taiwan--- CloudStack Overview-12012 CloudStack Design Camp in Taiwan--- CloudStack Overview-1
2012 CloudStack Design Camp in Taiwan--- CloudStack Overview-1
 

Recently uploaded

Essentials of Automations: The Art of Triggers and Actions in FME
Essentials of Automations: The Art of Triggers and Actions in FMEEssentials of Automations: The Art of Triggers and Actions in FME
Essentials of Automations: The Art of Triggers and Actions in FME
Safe Software
 
Pushing the limits of ePRTC: 100ns holdover for 100 days
Pushing the limits of ePRTC: 100ns holdover for 100 daysPushing the limits of ePRTC: 100ns holdover for 100 days
Pushing the limits of ePRTC: 100ns holdover for 100 days
Adtran
 
Alt. GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using ...
Alt. GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using ...Alt. GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using ...
Alt. GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using ...
James Anderson
 
GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...
GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...
GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...
Neo4j
 
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdf
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdfObservability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdf
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdf
Paige Cruz
 
National Security Agency - NSA mobile device best practices
National Security Agency - NSA mobile device best practicesNational Security Agency - NSA mobile device best practices
National Security Agency - NSA mobile device best practices
Quotidiano Piemontese
 
20240605 QFM017 Machine Intelligence Reading List May 2024
20240605 QFM017 Machine Intelligence Reading List May 202420240605 QFM017 Machine Intelligence Reading List May 2024
20240605 QFM017 Machine Intelligence Reading List May 2024
Matthew Sinclair
 
Video Streaming: Then, Now, and in the Future
Video Streaming: Then, Now, and in the FutureVideo Streaming: Then, Now, and in the Future
Video Streaming: Then, Now, and in the Future
Alpen-Adria-Universität
 
Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...
Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...
Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...
SOFTTECHHUB
 
By Design, not by Accident - Agile Venture Bolzano 2024
By Design, not by Accident - Agile Venture Bolzano 2024By Design, not by Accident - Agile Venture Bolzano 2024
By Design, not by Accident - Agile Venture Bolzano 2024
Pierluigi Pugliese
 
GraphSummit Singapore | Graphing Success: Revolutionising Organisational Stru...
GraphSummit Singapore | Graphing Success: Revolutionising Organisational Stru...GraphSummit Singapore | Graphing Success: Revolutionising Organisational Stru...
GraphSummit Singapore | Graphing Success: Revolutionising Organisational Stru...
Neo4j
 
DevOps and Testing slides at DASA Connect
DevOps and Testing slides at DASA ConnectDevOps and Testing slides at DASA Connect
DevOps and Testing slides at DASA Connect
Kari Kakkonen
 
GridMate - End to end testing is a critical piece to ensure quality and avoid...
GridMate - End to end testing is a critical piece to ensure quality and avoid...GridMate - End to end testing is a critical piece to ensure quality and avoid...
GridMate - End to end testing is a critical piece to ensure quality and avoid...
ThomasParaiso2
 
PHP Frameworks: I want to break free (IPC Berlin 2024)
PHP Frameworks: I want to break free (IPC Berlin 2024)PHP Frameworks: I want to break free (IPC Berlin 2024)
PHP Frameworks: I want to break free (IPC Berlin 2024)
Ralf Eggert
 
Transcript: Selling digital books in 2024: Insights from industry leaders - T...
Transcript: Selling digital books in 2024: Insights from industry leaders - T...Transcript: Selling digital books in 2024: Insights from industry leaders - T...
Transcript: Selling digital books in 2024: Insights from industry leaders - T...
BookNet Canada
 
UiPath Test Automation using UiPath Test Suite series, part 5
UiPath Test Automation using UiPath Test Suite series, part 5UiPath Test Automation using UiPath Test Suite series, part 5
UiPath Test Automation using UiPath Test Suite series, part 5
DianaGray10
 
Elevating Tactical DDD Patterns Through Object Calisthenics
Elevating Tactical DDD Patterns Through Object CalisthenicsElevating Tactical DDD Patterns Through Object Calisthenics
Elevating Tactical DDD Patterns Through Object Calisthenics
Dorra BARTAGUIZ
 
FIDO Alliance Osaka Seminar: Overview.pdf
FIDO Alliance Osaka Seminar: Overview.pdfFIDO Alliance Osaka Seminar: Overview.pdf
FIDO Alliance Osaka Seminar: Overview.pdf
FIDO Alliance
 
The Future of Platform Engineering
The Future of Platform EngineeringThe Future of Platform Engineering
The Future of Platform Engineering
Jemma Hussein Allen
 
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
DanBrown980551
 

Recently uploaded (20)

Essentials of Automations: The Art of Triggers and Actions in FME
Essentials of Automations: The Art of Triggers and Actions in FMEEssentials of Automations: The Art of Triggers and Actions in FME
Essentials of Automations: The Art of Triggers and Actions in FME
 
Pushing the limits of ePRTC: 100ns holdover for 100 days
Pushing the limits of ePRTC: 100ns holdover for 100 daysPushing the limits of ePRTC: 100ns holdover for 100 days
Pushing the limits of ePRTC: 100ns holdover for 100 days
 
Alt. GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using ...
Alt. GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using ...Alt. GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using ...
Alt. GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using ...
 
GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...
GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...
GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...
 
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdf
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdfObservability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdf
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdf
 
National Security Agency - NSA mobile device best practices
National Security Agency - NSA mobile device best practicesNational Security Agency - NSA mobile device best practices
National Security Agency - NSA mobile device best practices
 
20240605 QFM017 Machine Intelligence Reading List May 2024
20240605 QFM017 Machine Intelligence Reading List May 202420240605 QFM017 Machine Intelligence Reading List May 2024
20240605 QFM017 Machine Intelligence Reading List May 2024
 
Video Streaming: Then, Now, and in the Future
Video Streaming: Then, Now, and in the FutureVideo Streaming: Then, Now, and in the Future
Video Streaming: Then, Now, and in the Future
 
Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...
Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...
Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...
 
By Design, not by Accident - Agile Venture Bolzano 2024
By Design, not by Accident - Agile Venture Bolzano 2024By Design, not by Accident - Agile Venture Bolzano 2024
By Design, not by Accident - Agile Venture Bolzano 2024
 
GraphSummit Singapore | Graphing Success: Revolutionising Organisational Stru...
GraphSummit Singapore | Graphing Success: Revolutionising Organisational Stru...GraphSummit Singapore | Graphing Success: Revolutionising Organisational Stru...
GraphSummit Singapore | Graphing Success: Revolutionising Organisational Stru...
 
DevOps and Testing slides at DASA Connect
DevOps and Testing slides at DASA ConnectDevOps and Testing slides at DASA Connect
DevOps and Testing slides at DASA Connect
 
GridMate - End to end testing is a critical piece to ensure quality and avoid...
GridMate - End to end testing is a critical piece to ensure quality and avoid...GridMate - End to end testing is a critical piece to ensure quality and avoid...
GridMate - End to end testing is a critical piece to ensure quality and avoid...
 
PHP Frameworks: I want to break free (IPC Berlin 2024)
PHP Frameworks: I want to break free (IPC Berlin 2024)PHP Frameworks: I want to break free (IPC Berlin 2024)
PHP Frameworks: I want to break free (IPC Berlin 2024)
 
Transcript: Selling digital books in 2024: Insights from industry leaders - T...
Transcript: Selling digital books in 2024: Insights from industry leaders - T...Transcript: Selling digital books in 2024: Insights from industry leaders - T...
Transcript: Selling digital books in 2024: Insights from industry leaders - T...
 
UiPath Test Automation using UiPath Test Suite series, part 5
UiPath Test Automation using UiPath Test Suite series, part 5UiPath Test Automation using UiPath Test Suite series, part 5
UiPath Test Automation using UiPath Test Suite series, part 5
 
Elevating Tactical DDD Patterns Through Object Calisthenics
Elevating Tactical DDD Patterns Through Object CalisthenicsElevating Tactical DDD Patterns Through Object Calisthenics
Elevating Tactical DDD Patterns Through Object Calisthenics
 
FIDO Alliance Osaka Seminar: Overview.pdf
FIDO Alliance Osaka Seminar: Overview.pdfFIDO Alliance Osaka Seminar: Overview.pdf
FIDO Alliance Osaka Seminar: Overview.pdf
 
The Future of Platform Engineering
The Future of Platform EngineeringThe Future of Platform Engineering
The Future of Platform Engineering
 
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
 

Hadoop Security Now and Future

  • 4. WITHOUT KERBEROS • Authorization Ensuring the user can only do things that they are allowed to do • Yes: Owner/Group Permission • Authentication Ensuring the user is who they claim to be • NO
  • 7. KERBEROS CONFIG BECOMING EASY • Cloudera • Cloudera Manager • HDP • Ambari – Security Wizard --- ambari-1.2.5
  • 10. HADOOP GATEWAY - NOW
    • WebHDFS
      • REST: curl "http://GATEWAYHOST/webhdfs/v1/PATH?[user.name=USER&]op=…"
      • Hadoop: hadoop fs -fs webhdfs://GATEWAYHOST:14000 -cat FILE_PATH
    • Oozie
      • REST API, supports direct submission of MapReduce, Pig, and Hive jobs
      • Steps
        • Use WebHDFS to upload your files and jars
        • Create an Oozie workflow
    • HBase
      • HBase Stargate REST Gateway
      • HBase Thrift server
  • 11. HADOOP GATEWAY - FUTURE • Apache Knox Gateway Provides a single point of authentication and access for Apache™ Hadoop® services in a cluster
  • 12. HADOOP GATEWAY - FUTURE • Apache Knox Gateway • Integrate with the existing frameworks for Active Directory/LDAP • Shell and REST interface support • Currently working on Kerberized cluster support
  • 14. HADOOP DATA ENCRYPTION • Disk Encryption • Partition Encryption → dm-crypt • File System Encryption • Folder Encryption → eCryptfs • Hadoop Encryption Framework • Encrypt only what needs to be encrypted
  • 15. HADOOP ENCRYPTION FRAMEWORK - API [Diagram; labels: Local File, HDFS, encrypt/decrypt, HDFS File]
  • 16. HADOOP ENCRYPTION FRAMEWORK - MR [Diagram; labels: File, Map, File, Reduce, HDFS, HDFS File; caption: Encryption/Decryption All the Path (Stages)]
  • 17. JIRAS • hadoop-9331: Hadoop crypto codec framework and crypto codec implementations • hadoop-9332: Crypto codec implementations for AES • hadoop-9333: Hadoop crypto codec framework based on compression codec • mapreduce-5025: Key Distribution and Management for supporting crypto codec in Map Reduce • hbase-7544: Transparent table/CF encryption
  • 18. Brief • Two Typical Crypto Cases in Hadoop • Crypto API Case: Using AES Key (Stored in KeyStore) to Encrypt/Decrypt Data • MR CryptoContext Case: Encrypt the MR output • Tool – Distcrypto • HBase Encryption • Other Related JIRAs and Security Key Store (Manager) • TODOs
  • 19. KEY STORE TOOL - KEYTOOL
    A key and certificate management utility.
    • Create & store an AES key
      keytool -keystore /tmp/hbase.jks -storetype jceks -storepass 123456 -genseckey -keyalg AES -keysize 256 -alias hbase
    • Create & store an RSA private key
      keytool -genkey -keyalg RSA -keysize 2048 -storetype jceks -storepass 123456 -keystore privateKeyStore.jks -alias testPrivate
    • Export the certificate from the KeyStore to a cert file
      keytool -export -keystore privateKeyStore.jks -storetype jceks -storepass 123456 -alias testPrivate -file publicKey.crt
    • Import a cert file into a KeyStore
      keytool -import -trustcacerts -file publicKey.crt -storetype jceks -storepass 123456 -alias testPublic -keystore publicKeyStore.jks
  • 20. CRYPTO API CASE: USING AES KEY (STORE IN KEYSTORE) TO ENCRYPT/DECRYPT DATA
  • 21. CRYPTO API CASE: USING AES KEY (STORE IN KEYSTORE) TO ENCRYPT/DECRYPT DATA Use Crypto API to retrieve AES secret key from a key store file and use the key to encrypt/decrypt data • KeyProvider • CryptoContext • CryptoCodec • Sample Code
  • 22. KeyProvider - KeyStoreKeyProvider
    • Retrieves a secret key from the specified key store file
    • Parameters
      • keyStoreUrl & password
      • keyStoreType: JCE, JCEKS ……
      • keyPasswordFile & sharePassword
    • Initialize: keyProvider.init(String parameters)
      • String parameters = "file:///etc/keystore/mapred.jks&keyStoreType=JCEKS&password=123456"
      • String parameters = KeyStoreKeyProvider.getKeyStoreParameterString(fileUrl, StoreType, StorePassword, null, true);
    • Get: keyProvider.getKeys(String [])
  • 23. CryptoContext • Stores key-related info • Key Attributes • Raw Key Data • Key Type: SYMMETRIC_KEY, PUBLIC_KEY, PRIVATE_KEY, CERTIFICATE • Cryptographic Algorithm: e.g. AES • Cryptographic Length
  • 24. CryptoCodec • A wrapper that contains a CryptoContext and provides crypto I/O streams • Major members • CryptoContext • Crypto I/O stream methods • createOutputStream(……) • createInputStream(……)
  • 25. SAMPLE CODE --- FILE ENCRYPTION
  • 26. SAMPLE CODE --- FILE ENCRYPTION (cont.)
  • 28. MR CRYPTOCONTEXT CASE: ENCRYPT THE MR OUTPUT Using provided CryptoContext to encrypt the Map Reduce output • KeyProviderConfig • CryptoContextProvider • Sample Code
  • 29. KeyProviderConfig • Members • keyProvider • keyProviderParameters • Methods • getKeyProvider() • getKeyProviderParameters()
  • 30. CryptoContextProvider
    Provides several static helper methods to update crypto-related job configurations. For example, store the following parameters and secrets in the job credentials, in the secret key list:
    • mapred.[[[STAGE]]].crypto.context.provider.parameters
    • mapred.[[[STAGE]]].crypto.context.secrets
    [[[STAGE]]]: input, output, map.output
    • AbstractCryptoContextProvider
    • FileMatchCryptoContextProvider
    • KeyProviderCryptoContextProvider
    Credentials credentials = jobConf.getCredentials();
    credentials.addSecretKey(new Text("mapred.map.output.crypto.context.provider.parameters"), parameters);
    credentials.addSecretKey(new Text("mapred.map.output.crypto.context.secrets"), secrets);
  • 31. AbstractCryptoContextProvider
    • Methods
      • setInputCryptoContextProvider(jobConf, cryptoContextProviderClass, secrets, parameters)
      • setMapOutputCryptoContextProvider(jobConf, cryptoContextProviderClass, secrets, parameters)
      • setOutputCryptoContextProvider(jobConf, cryptoContextProviderClass, secrets, parameters)
  • 32. FileMatchCryptoContextProvider
    Provides the ability to select the appropriate CryptoContext according to the file path
    FileMatches fileMatches = new FileMatches(KeyContext.derive("12345678"));
    fileMatches.addMatch("^.*/input1.intel_aes$", KeyContext.derive("1234"));
    fileMatches.addMatch("^.*/input2.intel_aes$", KeyContext.derive("5678"));
    FileMatchCryptoContextProvider.setInputCryptoContextProvider(jobConf, fileMatches, null);
  • 33. KeyProviderCryptoContextProvider
    Includes the capability of FileMatchCryptoContextProvider and also provides the ability to retrieve the key from a key store
    FileMatches fileMatches = new FileMatches(KeyContext.refer("KEY00", Key.KeyType.SYMMETRIC_KEY, "AES", 128));
    String keyStoreFile = "file:///" + KEYSTORE_HOME + "/mr.jks";
    String keyStorePassword = "12345678";
    KeyProviderConfig keyProviderConfig = KeyProviderCryptoContextProvider.getKeyStoreKeyProviderConfig(
        keyStoreFile, "JCEKS", keyStorePassword, null, true);
    KeyProviderCryptoContextProvider.setInputCryptoContextProvider(jobConf, fileMatches, true, keyProviderConfig);
  • 34. SAMPLE CODE - ENCRYPT THE MR OUTPUT
    Configuration conf = new Configuration();
    Job job = new Job(conf, "wordcount");
    JobConf jobConf = (JobConf)job.getConfiguration();
  • 35. SAMPLE CODE - ENCRYPT THE MR OUTPUT
    Configuration conf = new Configuration();
    Job job = new Job(conf, "wordcount");
    JobConf jobConf = (JobConf)job.getConfiguration();
    // Encrypt the job output with the AES codec, compressing with Snappy first
    FileOutputFormat.setOutputCompressorClass(job, AESCodec.class);
    jobConf.set(AESCodec.CRYPTO_COMPRESSOR, "org.apache.hadoop.io.compress.SnappyCodec");
  • 36. SAMPLE CODE - ENCRYPT THE MR OUTPUT (cont.)
    FileMatches fileMatches = new FileMatches(KeyContext.refer("KEY00", Key.KeyType.SYMMETRIC_KEY, "AES", 256));
  • 37. SAMPLE CODE - ENCRYPT THE MR OUTPUT (cont.)
    FileMatches fileMatches = new FileMatches(KeyContext.refer("KEY00", Key.KeyType.SYMMETRIC_KEY, "AES", 256));
    String keyStoreFile = "file:///" + KEYSTORE_HOME + "/mr.jks";
    String keyStorePassword = "12345678";
    KeyProviderConfig keyProviderConfig = KeyProviderCryptoContextProvider.getKeyStoreKeyProviderConfig(
        keyStoreFile, "JCEKS", keyStorePassword, null, true);
  • 38. SAMPLE CODE - ENCRYPT THE MR OUTPUT (cont.)
    FileMatches fileMatches = new FileMatches(KeyContext.refer("KEY00", Key.KeyType.SYMMETRIC_KEY, "AES", 256));
    String keyStoreFile = "file:///" + KEYSTORE_HOME + "/mr.jks";
    String keyStorePassword = "12345678";
    KeyProviderConfig keyProviderConfig = KeyProviderCryptoContextProvider.getKeyStoreKeyProviderConfig(
        keyStoreFile, "JCEKS", keyStorePassword, null, true);
    KeyProviderCryptoContextProvider.setOutputCryptoContextProvider(jobConf, fileMatches, false, keyProviderConfig);
    …….
    job.waitForCompletion(true);
  • 39. MORE IN KeyProviderCryptoContextProvider • Using asymmetric key (RSA) to protect Parameters & Secrets
  • 40. MORE IN KeyProviderCryptoContextProvider
    • Using asymmetric key (RSA) to protect Parameters & Secrets
    CredentialProtection credentialProtection = new CredentialProtection(jobConf,
        RSACredentialProtectionCodec.class,
        encryptionKeyProviderConfig, encryptionKeyName,
        decryptionKeyProviderConfig, decryptionKeyName);
    KeyProviderCryptoContextProvider.setInputCryptoContextProvider(
        jobConf, fileMatches, false, keyProviderConfig, credentialProtection);
  • 41. MORE IN KeyProviderCryptoContextProvider (cont.)
    • How to use a customized KeyProvider in KeyProviderCryptoContextProvider
    String keyProviderParameters = KeyStoreKeyProvider.getKeyStoreParameterString(
        keyStoreFile, keyStoreType, keyStorePassword, keyStorePasswordFile, sharedPassword);
    KeyProviderConfig keyProviderConfig = new KeyProviderConfig(
        CustomizeKeyStoreKeyProvider.class.getName(), keyProviderParameters);
  • 42. TOOL – DISTCRYPTO
    Use a MapReduce job to encrypt, decrypt or rotate keys for multiple files
    • Usage
      • -op <operation> : "encrypt", "decrypt" and "rotate"
      • -ek <encryption key>
      • -dk <decryption key>
      • -src <source definition file>
      • -dst <dest url>
      • -log <log url>
  • 43. TOOL – DISTCRYPTO (cont.)
    • Source Definition File (XML format)
      • src
        • path
        • format:
          • raw
          • Sequence
          • the full class name of a class which implements CryptoHandler for a customized format
        • includeFilter & excludeFilter
        • stripSuffix & appendSuffix
        • keyClassName & valueClassName
  • 44. TOOL – DISTCRYPTO (cont.)
    • Encryption sample
      • Command
        hadoop distcrypto -op encrypt -ek 21EF7D7487F69A19E552C1274A9FCAC721EF7D7487F69A19E552C1274A9FCAC7 -log /tmp/log.distcrypto.encrypt -src file:///working/crypto_encrypt.xml
      • Source definition file (crypto_encrypt.xml)
        <configuration>
          <src>
            <path>/tmp/install.log</path>
            <format>raw</format>
            <appendSuffix>.encrypted</appendSuffix>
          </src>
        </configuration>
    • TODO: retrieving keys from a key store is not supported --- not good
  • 46. HBASE ENCRYPTION – HBASE-7544 • Introduce transparent encryption of HBase on disk data. • Transparent encryption at the CF level • Two-tier key architecture for consistency with best practices for this feature in the RDBMS world • Flexible and non-intrusive key rotation
  • 47. HBASE ENCRYPTION – HBASE-7544
  • 48. HBASE ENCRYPTION – HBASE-7544 [Diagram; HFile layout labels: Block 0 …… Block N, Meta Block 0 …… Meta Block N, File Info, Data Block Index, Meta Block Index, Fixed File Trailer, Encryption Key Block Offset. Key block data format: 1 byte ordinal, 4 bytes key data length, encrypted key data]
  • 49. HBASE-7544 SETTINGS
    1. Set up the keystore with a secret key
    Create a secret key of appropriate length for AES.
    $ keytool -keystore /path/to/hbase/conf/hbase.jks -storetype jceks -storepass password -genseckey -keyalg AES -keysize 256 -alias ${USER}
    Press RETURN to store the key with the same password as the store
  • 50. HBASE-7544 SETTINGS
    2. Configure HBase to use the keystore
    Add this to the hbase-site.xml file:
    <property>
      <name>hbase.crypto.keyprovider</name>
      <value>org.apache.hadoop.io.crypto.KeyStoreKeyProvider</value>
    </property>
    <property>
      <name>hbase.crypto.keyprovider.parameters</name>
      <value><![CDATA[keyStoreUrl=file:///path/to/hbase/conf/hbase.jks&keyStoreType=JCEKS&password=password]]></value>
    </property>
  • 51. HBASE-7544 SETTINGS
    3. Create the table
    $ ./bin/hbase shell
    hbase(main):001:0> create 'test', {NAME=>'t', CRYPTO=>'AES', CRYPTO_KEY=>'123456'}
  • 52. HBASE-7544 • CF key rotation • The CF key is changed by modifying the column descriptor via HBaseAdmin. • Then a major compaction is triggered, either on the whole table at once or region by region. • Performance • With this AES-NI codec, the HFile read and write code paths introduce an overhead roughly on par with GZIP compression for reads, and half that for writes.
  • 53. OTHER RELATED JIRAS • MAPREDUCE-4491: Encryption and Key Protection • 4550: Key Protection : Define Encryption and Key Protection interfaces and default implementation • 4551: Key Protection : Add ability to read keys and protect keys in JobClient and TTS/NodeManagers • 4552: Encryption: Add support for PGP Encryption • 4553: Key Protection : Implement KeyProvider to read key from a WebService Based KeyStore • 5025: Key Distribution and Management for supporting crypto codec in Map Reduce
  • 54. SECURITY WEB KEYSTORE SERVER
    safe (http://benoyantony.github.com/safe/)
    • Web service based keystore
    • Supports ACL per key
    • Authenticates the user using SPNEGO
    • Based on Cloudera Alfredo, a Java library consisting of client and server components to enable Kerberos SPNEGO authentication for HTTP.
    [Diagram; labels: Web server (safe (alfredo)), KDC, user, authorization, authentication, MR/HBase + WebStoreKeyProvider]
  • 55. OTHER TODOs
    • Hive support
      • https://issues.apache.org/jira/browse/HIVE-5207
        Support data encryption for Hive tables
      • https://issues.apache.org/jira/browse/HIVE-4227
        Add column level encryption to ORC files (Created: 25/Mar/13 17:14)
    • Pig support
      • https://issues.apache.org/jira/browse/PIG-3289
        Encryption aware load and store functions
  • 56. Q & A
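
The file-encryption sample slides (25 and 26) carry no code in this transcript, and the HBase slides name a two-tier key architecture without showing one. The following is an added example, not code from the deck or from the Hadoop crypto codec patches it describes: it uses only standard JDK classes to load an AES key from a JCEKS keystore, wrap a data key under it, and rotate the master key without re-encrypting the data. AES-GCM, AESWrap, the class name, the aliases and the password are choices and constructed values of this example.

```java
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.SecureRandom;

public class TwoTierKeyDemo {
    private static final SecureRandom RNG = new SecureRandom();
    private static final int IV_LEN = 12;    // bytes; fresh random nonce per encryption
    private static final int TAG_BITS = 128; // GCM authentication tag length

    static SecretKey newAesKey() throws GeneralSecurityException {
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(256, RNG);
        return kg.generateKey();
    }

    /** In-memory JCEKS store with one AES-256 key per alias (what keytool -genseckey writes to a file). */
    static byte[] createKeyStore(char[] pass, String... aliases) throws Exception {
        KeyStore ks = KeyStore.getInstance("JCEKS");
        ks.load(null, pass);
        for (String alias : aliases) {
            ks.setEntry(alias, new KeyStore.SecretKeyEntry(newAesKey()),
                        new KeyStore.PasswordProtection(pass));
        }
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        ks.store(out, pass);
        return out.toByteArray();
    }

    static SecretKey loadKey(byte[] store, char[] pass, String alias) throws Exception {
        KeyStore ks = KeyStore.getInstance("JCEKS");
        ks.load(new ByteArrayInputStream(store), pass);
        SecretKey key = (SecretKey) ks.getKey(alias, pass);
        if (key == null) throw new IllegalArgumentException("no key under alias " + alias);
        return key;
    }

    /** Tier 1: the master key from the keystore only ever encrypts (wraps) data keys. */
    static byte[] wrap(SecretKey master, SecretKey dataKey) throws GeneralSecurityException {
        Cipher c = Cipher.getInstance("AESWrap");
        c.init(Cipher.WRAP_MODE, master);
        return c.wrap(dataKey);
    }

    static SecretKey unwrap(SecretKey master, byte[] wrapped) throws GeneralSecurityException {
        Cipher c = Cipher.getInstance("AESWrap");
        c.init(Cipher.UNWRAP_MODE, master);
        return (SecretKey) c.unwrap(wrapped, "AES", Cipher.SECRET_KEY);
    }

    /** Tier 2: the data key encrypts the payload; output is IV || ciphertext || tag. */
    static byte[] encrypt(SecretKey dataKey, byte[] plain) throws GeneralSecurityException {
        byte[] iv = new byte[IV_LEN];
        RNG.nextBytes(iv);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, dataKey, new GCMParameterSpec(TAG_BITS, iv));
        byte[] ct = c.doFinal(plain);
        byte[] out = new byte[IV_LEN + ct.length];
        System.arraycopy(iv, 0, out, 0, IV_LEN);
        System.arraycopy(ct, 0, out, IV_LEN, ct.length);
        return out;
    }

    static byte[] decrypt(SecretKey dataKey, byte[] blob) throws GeneralSecurityException {
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, dataKey, new GCMParameterSpec(TAG_BITS, blob, 0, IV_LEN));
        return c.doFinal(blob, IV_LEN, blob.length - IV_LEN);
    }

    public static void main(String[] args) throws Exception {
        // Constructed password; in practice read it from a protected source, not from source code.
        char[] pass = "constructed-demo-pass".toCharArray();
        byte[] store = createKeyStore(pass, "master-v1", "master-v2");
        SecretKey master1 = loadKey(store, pass, "master-v1");
        SecretKey master2 = loadKey(store, pass, "master-v2");

        // Encrypt data under a fresh data key; persist only the wrapped data key next to the data.
        SecretKey dataKey = newAesKey();
        byte[] wrappedV1 = wrap(master1, dataKey);
        byte[] stored = encrypt(dataKey, "constructed sample record".getBytes(StandardCharsets.UTF_8));

        // Master-key rotation: re-wrap the small data key; the stored ciphertext is untouched.
        byte[] wrappedV2 = wrap(master2, unwrap(master1, wrappedV1));
        byte[] plain = decrypt(unwrap(master2, wrappedV2), stored);
        System.out.println("decrypted after rotation: " + new String(plain, StandardCharsets.UTF_8));

        // The retired master key must no longer open the re-wrapped data key.
        try {
            unwrap(master1, wrappedV2);
            throw new AssertionError("retired master key unwrapped the data key");
        } catch (GeneralSecurityException expected) {
            System.out.println("retired master key rejected");
        }

        // Authenticated encryption: a flipped bit in the stored blob fails decryption.
        stored[stored.length - 1] ^= 1;
        try {
            decrypt(dataKey, stored);
            throw new AssertionError("tampered ciphertext was accepted");
        } catch (GeneralSecurityException expected) {
            System.out.println("tampered ciphertext rejected");
        }
    }
}
```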